Testing your eduroam setup (especially when you are new) can be daunting. The developers of the wpa_supplicant software on Linux provide a handy tool called eapol_test, which runs an EAP authentication flow the way a client would and prints a lot of debug information.
eapol_test is traditionally only available on Linux. Instructions to build it for Linux and for Windows are below.
Linux
Build on Linux
Preparatory work
Install the usual build-tools:
sudo apt-get install build-essential
Install the OpenSSL development files:
sudo apt-get install libssl-dev
Building eapol_test
Download wpa_supplicant's source at https://w1.fi/releases/wpa_supplicant-2.9.tar.gz
Unpack the wpa_supplicant distribution, change into the wpa_supplicant/ subdirectory and create the default config file by executing
cp defconfig .config
Then, enable compilation of eapol_test by editing the .config file and setting (i.e. uncommenting)
CONFIG_EAPOL_TEST=y
You can then compile eapol_test with
make eapol_test
Windows
Currently the instructions for Windows depend on using a Linux host (such as a virtual machine or a container if you are using Docker or similar). The instructions following here are for virtual machine-based building.
Cross-compile on Linux for Windows
Preparatory work
Install Ubuntu 20.
Install MinGW:
sudo apt-get install mingw-w64
Install the usual build-tools:
sudo apt-get install build-essential
Configuration
Create the script file /usr/bin/mingw64
#!/bin/sh
PREFIX=x86_64-w64-mingw32
export CC=$PREFIX-gcc
export CXX=$PREFIX-g++
export CPP=$PREFIX-cpp
export AR=$PREFIX-ar
export AS=$PREFIX-as
export NM=$PREFIX-nm
export WINDRES=$PREFIX-windres
export RANLIB=$PREFIX-ranlib
export ADDR2LINE=$PREFIX-addr2line
export DLLTOOL=$PREFIX-dlltool
export DLLWRAP=$PREFIX-dllwrap
export ELFEDIT=$PREFIX-elfedit
export OBJCOPY=$PREFIX-objcopy
export OBJDUMP=$PREFIX-objdump
export READELF=$PREFIX-readelf
export SIZE=$PREFIX-size
export STRINGS=$PREFIX-strings
export STRIP=$PREFIX-strip
export WINDMC=$PREFIX-windmc
export GCOV=$PREFIX-gcov
export PATH="/usr/x86_64-w64-mingw32/bin:$PATH"
exec "$@"
Make it executable by all
sudo chmod a+x /usr/bin/mingw64
Building the sources
Download eapol_test.c.patch and eapol_test.config from https://github.com/janetuk/eapol_test
Download libtommath's source at https://github.com/libtom/libtommath/releases/download/v1.2.0/ltm-1.2.0.tar.xz
Download wpa_supplicant's source at https://w1.fi/releases/wpa_supplicant-2.9.tar.gz
Unpack the libtommath distribution. Note the directory you unpacked it to. You will need it when you build eapol_test.exe.
Change to the libtommath directory. Run the build command
mingw64 make
This should build successfully and leave you with a library in the directory.
Unpack the wpa_supplicant distribution. Copy eapol_test.config to the wpa_supplicant subdirectory
cp eapol_test.config wpa_supplicant-2.9/wpa_supplicant/.config
Change to the wpa_supplicant subdirectory.
Edit the .config file. Find the line ifndef CONFIG_INTERNAL_LIBTOMMATH, then change the line below it to the directory you built libtommath in:
LTM_PATH=<directory where you built libtommath>
Run the patching command to fix eapol_test.c
patch eapol_test.c <full path to eapol_test.c.patch>
Run the build command
CFLAGS=" -Wno-error=pointer-to-int-cast -MMD -O2 -g -w" mingw64 make eapol_test
You should now have an eapol_test.exe of around 6707168 bytes in size.
Copy this to a Windows box. Run it without parameters. It should display command-line parameters.
Testing with eapol_test
Testing with eapol_test on Linux or Windows will ultimately yield the same results. The configuration files for use with the utility are identical on either platform. Here is a sample configuration file you can use.
Configuration file
network={
    phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=0 tls_disable_tlsv1_3=1 peapver=0"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="<username@realm>"
    anonymous_identity="@realm"
    password="<userpassword>"
    phase2="eapauth=MSCHAPV2"
    # ca_cert="<full path of the CA root certificate>"
}
To use server certificate validation, uncomment the ca_cert line and set it to the full path of the CA root certificate.
To test various TLS handshakes within PEAP, enable (set to 0) the appropriate tls_disable_tlsv1... option.
To use EAP-TTLS, change the eap= line to TTLS.
To change the second-phase authentication, you can either use an EAP inner method by specifying 'eapauth=', or a non-EAP inner method by specifying 'auth=' in the phase2= line.
For complete information on the configuration file format, visit https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
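The TLS-version and EAP-method variations described above, as an added example (not from the original page or the wpa_supplicant project): a shell script that generates one configuration per TLS version with ca_cert enabled and runs eapol_test against each. The RADIUS host, shared secret, credentials and CA path are caller-supplied placeholders; -c, -a, -p and -s are eapol_test's options for the configuration file, server address, port and shared secret, which the page itself does not show.

```shell
#!/bin/sh
# Added example. Constructed placeholders: RADIUS host, shared secret,
# credentials and CA path are supplied by the caller.

# phase1_for N: phase1 string that enables only TLS 1.N (N = 0..3).
phase1_for() {
    want=$1; out=""
    for v in 0 1 2 3; do
        if [ "$v" = "$want" ]; then d=0; else d=1; fi
        out="${out}tls_disable_tlsv1_${v}=${d} "
    done
    printf '%speapver=0' "$out"
}

# gen_conf EAP N IDENTITY PASSWORD CA_CERT [PHASE2]
# Prints a network block like the page's sample, with ca_cert enabled.
# PHASE2 defaults to the string used in the page's sample.
gen_conf() {
    realm=${3#*@}
    cat <<EOF
network={
    phase1="$(phase1_for "$2")"
    key_mgmt=WPA-EAP
    eap=$1
    identity="$3"
    anonymous_identity="@$realm"
    password="$4"
    phase2="${6:-eapauth=MSCHAPV2}"
    ca_cert="$5"
}
EOF
}

# run_matrix HOST SECRET IDENTITY PASSWORD CA_CERT
# Runs one PEAP test per TLS version; eapol_test exits 0 on success.
run_matrix() {
    for v in 0 1 2 3; do
        conf=$(mktemp) || return 1      # mode 0600: the file holds the password
        gen_conf PEAP "$v" "$3" "$4" "$5" > "$conf"
        if eapol_test -c "$conf" -a "$1" -p 1812 -s "$2" > "tls1_$v.log" 2>&1; then
            echo "TLS 1.$v: SUCCESS"
        else
            echo "TLS 1.$v: FAILURE (see tls1_$v.log)"
        fi
        rm -f "$conf"
    done
}

if [ "$#" -eq 5 ]; then run_matrix "$@"; fi
```

Invoke it as sh tls-matrix.sh <radius-host> <secret> <username@realm> <password> <ca-path>; the script name is hypothetical.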